
Infected with Rootkit, probably more


  • This topic is locked
2 replies to this topic

#1 missminerva

missminerva

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:40 PM

Posted 16 February 2010 - 07:44 PM

Hi all. New here. Things started with the security-essentials-2010 virus. I think I got most of that cleaned, at least no more "Buy Me!" pop ups. Now I am being constantly redirected to web sites. Malwarebytes and Hitman Pro say they removed this: C:\Windows\system32\Drivers\dhsxog.sys (Rootkit.Agent) but, it never goes away.
Running Vista SP2 on Dell Inspiron 530.

I am also getting warnings from Avira saying, "Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML Script Virus". I put these in quarantine. They come from random web sites that I go to regularly. Not sure what all you need to know. Please let me know. Enough blathering. Here's my DDS and GMER logs. Thanks so much for any help!!



DDS (Ver_09-12-01.01) - NTFSx86
Run by Jan at 17:42:31.38 on Tue 02/16/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3060.2046 [GMT -6:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k wdisvc
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Jan\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.tmz.com/
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080805
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {7AFD21AD-B3D5-4700-AD74-B56FFA402841} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [PMX Daemon] ICO.EXE
StartupFolder: c:\users\jan\appdata\roaming\micros~1\windows\startm~1\programs\startup\winmai~1.lnk - c:\program files\windows mail\WinMail.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Trusted Zone: buy-security-essentials.com
Trusted Zone: download-soft-package.com
Trusted Zone: download-software-package.com
Trusted Zone: get-key-se10.com
Trusted Zone: is-software-download.com
Trusted Zone: buy-security-essentials.com
Trusted Zone: get-key-se10.com
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxps://lowes.2020.net/Core/Player/2020PlayerAX_Win32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: lehelojo.dll c:\windows\system32\pozimadu.dll
SSODL: magugasek - {8a97161e-4ef1-41b9-9e46-a0cd363fd998} - No File
STS: {8a97161e-4ef1-41b9-9e46-a0cd363fd998} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\byXNgfCV
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\jan\appdata\roaming\mozilla\firefox\profiles\n1s69m9j.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\users\jan\appdata\roaming\move networks\plugins\npqmp071505000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-1 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-1 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-1 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-1 56816]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-2-16 1153368]
S2 MSMQSVC;Message Queuing Service;c:\windows\system32\mqsv32.exe --> c:\windows\system32\mqsv32.exe [?]
S2 sscSched;sscSched;c:\windows\system32\sscsched.exe --> c:\windows\system32\sscsched.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2008-8-4 33808]
S4 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSrv.exe [2009-3-1 81920]

=============== Created Last 30 ================

2010-02-16 22:46:38 234 ----a-w- c:\windows\system32\.crusader
2010-02-16 22:43:19 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-02-16 22:42:32 0 d-----w- c:\programdata\Hitman Pro
2010-02-16 22:42:30 0 d-----w- c:\program files\Hitman Pro 3.5
2010-02-16 21:41:27 0 d-----w- c:\users\jan\appdata\roaming\Frogwares
2010-02-16 16:12:43 0 d-----w- c:\program files\Trend Micro
2010-02-16 15:55:21 0 d-----w- c:\programdata\IObit
2010-02-16 14:40:09 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-16 14:40:09 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-02-16 01:46:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-16 01:46:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-16 01:46:39 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-15 22:50:16 791552 ----a-w- c:\windows\system32\drivers\dhsxog.sys
2010-02-14 20:50:55 0 d-----w- c:\users\jan\appdata\roaming\Settlement. Colossus
2010-02-05 05:05:33 0 d-----w- c:\program files\Games
2010-01-31 04:23:51 0 d-----w- c:\windows\system32\20-20 Technologies
2010-01-28 20:20:21 0 d-----w- c:\programdata\Rumbic Studio
2010-01-28 20:18:00 0 d-----w- c:\program files\LeeGTs Games
2010-01-28 04:45:41 0 d-----w- c:\programdata\Sun
2010-01-23 16:18:41 0 d-----w- c:\program files\common files\xing shared
2010-01-23 16:18:28 348160 ----a-w- c:\windows\system32\msvcr71.dll

==================== Find3M ====================

2010-01-12 22:10:34 86016 ----a-w- c:\windows\inf\infstor.dat
2010-01-12 22:10:34 51200 ----a-w- c:\windows\inf\infpub.dat
2010-01-12 22:10:34 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-17 23:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-12 02:10:02 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-04 22:15:22 44 ----a-w- c:\program files\ws_drm1.txt
2008-10-05 01:52:54 43476 ----a-w- c:\program files\technical.ttf
2008-01-21 02:57:01 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-09-16 21:28:19 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008091620080917\index.dat
2009-05-13 22:47:11 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009051320090514\index.dat
2009-08-31 01:22:00 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009083020090831\index.dat
2008-08-05 01:12:26 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 17:43:30.26 ===============





GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-16 18:08:07
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Jan\AppData\Local\Temp\pwldypow.sys


---- System - GMER 1.0.15 ----

SSDT 8C1BD3F4 ZwCreateThread
SSDT 8C1BD3E0 ZwOpenProcess
SSDT 8C1BD3E5 ZwOpenThread
SSDT 8C1BD3EF ZwTerminateProcess

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85902C90
Device \FileSystem\fastfat \Fat B03C6A7A

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8556181A

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] dhsxog <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\dhsxog@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\dhsxog@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\dhsxog@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\dhsxog@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\dhsxog@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\dhsxog@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\dhsxog@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\dhsxog@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\dhsxog@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\dhsxog@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\dhsxog@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\dhsxog@Group Boot Bus Extender

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----



Please and Thank You!



Edited by Orange Blossom, 16 February 2010 - 07:47 PM.
Forum glitch. ~ OB
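For anyone reading a DDS log like the one above, the entries worth a second look are the ones a clean Vista box does not have: populated AppInit_DLLs, an extra LSA authentication package, UAC switched off by policy, Trusted Zone entries for rogue domains, a hosts-file override, and services whose image file DDS could not read ([?]). The script below is an added example (not part of this thread or of the DDS tool) that runs those checks over the sample lines; the default-package set and the severity labels are assumptions.

```python
import re

# Sample DDS lines taken from the log posted in this thread (Pseudo HJT Report and
# SERVICES / DRIVERS sections), plus one benign mRun line for contrast.
SAMPLE_LOG = """\
mRun: [avgnt] "c:\\program files\\avira\\antivir desktop\\avgnt.exe" /min
mPolicies-system: EnableLUA = 0 (0x0)
Trusted Zone: buy-security-essentials.com
Trusted Zone: get-key-se10.com
AppInit_DLLs: lehelojo.dll c:\\windows\\system32\\pozimadu.dll
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\byXNgfCV
Hosts: 127.0.0.1 www.spywareinfo.com
R2 avgntflt;avgntflt;c:\\windows\\system32\\drivers\\avgntflt.sys [2009-5-1 56816]
S2 MSMQSVC;Message Queuing Service;c:\\windows\\system32\\mqsv32.exe --> c:\\windows\\system32\\mqsv32.exe [?]
"""

# Assumption: a default Vista install lists only msv1_0 as an LSA authentication package.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
# DDS service/driver line: "<R|S><n> name;display;path [date size]" or "... [?]"
SERVICE_RE = re.compile(r"^[RS]\d+ (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")


def triage(log_text):
    """Return (severity, reason, line) findings for DDS pseudo-HJT report lines."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            # AppInit_DLLs is empty by default; anything here loads into every GUI process.
            findings.append(("high", "AppInit_DLLs injection", line))
        elif line.startswith("LSA: Authentication Packages ="):
            extra = set(line.split("=", 1)[1].split()) - DEFAULT_AUTH_PACKAGES
            if extra:
                findings.append(("high", "extra LSA auth package: " + " ".join(sorted(extra)), line))
        elif line.startswith("mPolicies-system: EnableLUA = 0"):
            findings.append(("medium", "UAC disabled via policy", line))
        elif line.startswith("Trusted Zone:"):
            findings.append(("medium", "IE Trusted Zone entry: " + line.split(":", 1)[1].strip(), line))
        elif line.startswith("Hosts:"):
            findings.append(("medium", "hosts-file override", line))
        else:
            m = SERVICE_RE.match(line)
            if m and m.group("rest").endswith("[?]"):
                # DDS prints [?] when it could not read the service's image file.
                findings.append(("medium", "service image missing: " + m.group("name"), line))
    return findings


if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {reason}\n         {line}")
```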




#2 missminerva

missminerva
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:40 PM

Posted 19 February 2010 - 01:37 AM

I seem to have cleaned this up myself. Still going to thank bleepingcomputer, though. I read hundreds of posts and solutions and checked out all the tools that were recommended. Finally got rid of everything using Gmer, SUPERAntiSpyware, TDSSKiller. Just got a clean scan from Avira, Malwarebytes, SAS and TDSSKiller. If I ever do anything stupid again, I will come back here. What a great site. With the perfect name, I might add.



#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:04:40 AM

Posted 19 February 2010 - 05:36 AM

Glad you were able to resolve this.

This topic will now be closed.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft




